Mobile Device Management (MDM)
2108 Topics

How to remove Intune policy from a device after it's pushed to the device
Hi, I pushed a standard password Intune policy to a Windows device and would like to know how to remove this policy from the device once it is pushed to the device already. I excluded this device from the policy and after a day or two, I could see in the Intune portal that this password policy is no longer hitting the device. However, when I try to change the password, it's still hitting the password requirement that I set up before. Any advice would be appreciated.
54 Views | 0 likes | 2 Comments

Intune MDM, iOS device after a restore skips Remote Management screen
I am using Intune MDM to enrol the devices. Enrolling a new device with a Managed Apple ID works without any issues and I can install the profile, getting all the apps installed via VPP apps on the device. When restoring a device from iCloud or a local computer backup taken in iTunes, it doesn't seem to work as expected: after a restore, the device skips the Remote Management screen and loads into the phone welcome screen. I am taking the backup of the same device and restoring it back, keeping in mind the device was never MDM managed, therefore no management profile has been restored. We are using Managed Apple IDs so no VPP apps were downloaded, but due to the Managed Apple ID this blocks the store capability of downloading any apps from the App Store. The device was added into MDM Intune via Apple Configurator, therefore visible in Intune.
1 - Backup to iCloud to keep all data
2 - Wiped the device via Erase All Content and Settings
3 - Added the phone using Apple Configurator
4 - In ABM I assign the device to the MDM server
5 - Kicked in a manual sync from Intune
Once the device is visible in Intune and the profile assigned, start the setup process and select to restore from iCloud or backup from computer. I expected it to restart after the restore and show the Remote Management screen, but it does not. The only way around this is to restore via iCloud to a different device. This is not ideal. Please let us know if you can recommend a better way of doing this, therefore restoring the backup on the same device and getting the Remote Management configuration to enrol the device on MDM.
14 Views | 0 likes | 0 Comments

Access Issues due to Supervised Device
Hello, we have supervised (ADE) and user affinity iOS devices in our company. The users can log on to their device via their Modern Auth and the whole thing is managed with Intune. As a company, we have access to Azure Virtual clients (Win 11) hosted by our customers. If I now want to access this virtual Azure client via my supervised iPad and the iOS Windows App, I receive the message: ‘Warning: incorrect configuration. The administrator wants the apps on this device to be managed via the ‘xxx’ account. [...] To access company data via the ‘yyy’ account, you must unregister your device from the Company Portal.’ Is it possible to define exceptions in Intune so that I can log on to the virtual client with credentials other than those stored in the Company Portal? Best regards
25 Views | 0 likes | 1 Comment

File types restriction on Android OneDrive
Hi guys, I use Intune to manage Android tablets in my company and I am trying to make a policy to restrict downloading (Make available offline), but I don't know how to achieve that. I can't find anything relevant on the internet. I would really appreciate it if anyone can help me with that. Summary of the desired result: users of Android tablets can make SharePoint folders available offline, but only for specific files (pdf, docx, pptx, xlsx); other file types shouldn't be available offline because of their big size, such as (dwg, dxf, stp). Thank you in advance!
10 Views | 0 likes | 0 Comments

App Protection Policy Intune iOS: Restrict Cut Copy Paste but allow certain third party apps only
The restriction of cut, copy and paste is chosen as Microsoft apps only. Even if we push the apps from Company Portal as managed apps, even VPP apps, the App Protection Policy is not getting applied on those apps. Apps like SAP, Concur, Salesforce, etc., are used globally and widely across many organisations, so how are you overcoming these policy restrictions by MS Intune on iOS devices? We have to secure, so that no data should be moved out to any third party apps, while in the meantime we have business apps like those mentioned above to get things done. Tried methods, not working: sending the UPN as an app configuration policy using the third party apps also; added the custom bundle ID for those apps in the App Protection Policy; in App PP, under Data Protection, "add apps to exempt", also tried with no results. In our existing policy we have chosen "selected apps mode" for the App Protection Policy, and all these apps were selected as Microsoft apps, and it's working fine as expected. Cut, copy and paste will work only on those apps which we have chosen as selected apps. On all remaining apps, cut, copy and paste will be blocked. Now we have a scenario of business apps usage and we have deployed those via Company Portal as an iOS Store app; users downloaded and are using it already. In app management, it shows as a managed app. The requirement here is to have cut, copy and paste from Outlook and Teams to those business apps.
75 Views | 0 likes | 2 Comments

Hotspot through Windows Defender Firewall
I would like to know ALL ports and protocols, services, etc. that need to be whitelisted for hotspot to work with Windows Defender Firewall, or otherwise the baseline/recommended procedure. I have tested enabling the below so far:
Inbound/Outbound:
UDP: 67, 68, 53, 5355
TCP: 443, 80, 53
ICMPv4/v6: protocols 1/58, types and codes: 0/8
Services: icssvc
I still get drop events here and there in the Windows Defender Firewall logs for ports 80/ICMP, etc. Any idea what could be the reason and what is the best way to set this up to allow hotspot access from the device?
11 Views | 0 likes | 0 Comments

Best Practices for Managing Autopilot Profiles Across Multiple Locations
Hello everyone, I have a question, and I’d like to get your thoughts on it. In a scenario where an organization manages Hybrid Join devices using Autopilot, distributed across different locations, each with its own Autopilot profile, how do you prefer to manage groups and profile assignments? The options I’m considering are:
Option 1: Using a single dynamic group (e.g., “All Autopilot Devices”), with a query like:
(device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))
to include all corporate devices, and then assigning profiles using Scope Tags.
Option 2: Creating multiple dynamic groups, one for each location (e.g., “Location 1 Autopilot Devices”, “Location 2 Autopilot Devices”, etc.), with queries like:
(device.devicePhysicalIds -any (_ -eq "[OrderID]: Location 1"))
and then assigning the respective Autopilot profile to each dynamic group.
What’s your approach, and what advantages/disadvantages have you encountered? Thank you to anyone willing to share their experience!
61 Views | 0 likes | 4 Comments

[New Blog Post] Selective Wipe Corporate Data on unmanaged devices (iOS/iPadOS and Android)
1. Introduction
This blog aims to detail Mobile Application Management for unmanaged iOS/iPadOS devices and unmanaged Android devices. This blog is intended to demonstrate how to utilize selective wipe of corporate data. When a device is stolen or lost, or an employee leaves the company, you want to be sure there is no corporate data left on the device. This can be achieved by performing a selective wipe. After the selective wipe is requested, the corporate data will be removed from the app. This will be performed the next time the app is started. This guide will touch on three aspects as follows:
- Conditional Launch
- Device based wipe request (stolen/lost device)
- User based wipe request (employee leaves the company)
2. How to initiate a wipe
There are two ways to initiate a selective wipe. The selective wipe can be performed as part of the Conditional Launch in the App protection policy or by manually initiating a wipe request (device based wipe and user based wipe).
2.1. Conditional launch
When you configure an app protection policy a selective wipe will be configured. This is part of the conditional launch. One of the default settings is “Offline grace period -> 180 days”. After 180 days offline you need to reconnect to the network and successfully authenticate. If the user successfully authenticates nothing will happen, but if the user fails, a selective wipe will be performed.
2.2. Manually initiate a wipe request
There are two ways to manually initiate a wipe request: a device based wipe request and a user based wipe request. To initiate a wipe, select in the MEM admin center “Apps” -> “App selective wipe”. At the top of the app selective wipe blade, you can select “Wipe request” (device based wipe) or “User-Level Wipe” (user based wipe).
2.2.1. Device based wipe request
With a device based wipe request a wipe can be initiated for each user device registered with an app protection policy, for example if a user has lost the device and a new device is in use. Then a device based wipe can be used to only wipe the previous device.
1. Press the button “Create wipe request” at the top of the page.
2. Press “Select user” to select the user whose device you want to wipe. After the user has been selected the devices belonging to the user will be displayed. Select the device you want to wipe and press “Create”.
3. The wipe request will be sent to the device to remove corporate data from applications protected with an app protection policy. You will return to the app selective wipe blade where you can monitor the removal process for the user. Pending requests can be deleted by right-clicking the request and selecting “Delete wipe request”.
4. After successfully performing a wipe, the device will be removed from the device overview that was displayed in step 2.
Important: The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request has been made.
2.2.2. User based wipe request
When performing a user based wipe request, a wipe request will be sent to all apps on all the devices. You may want to perform this wipe when a user leaves the company and you want to be sure that all data is removed from all devices associated with the user.
1. In the app selective wipe page select “User-level wipe” and press “Add” to select the user for which you want to perform a user-level wipe.
2. Now that the user has been selected, wipe requests will be sent to all the devices of the user. As long as the user is on the list, the user will continue to get wipe commands at every check-in from all devices. To allow sign-in on a device you first need to remove the user from the list.
3. The wipe action can be monitored using the User report (“Apps” -> “Monitor” -> “Reports”).
Important: The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request was made.
Author: Shady Khorshed is a Microsoft enthusiast. He loves writing on iOS/Android, Windows 11, Windows 365 and related Microsoft Intune topics. He is here to share quick tips and tricks for all young professionals.
5.3K Views | 2 likes | 5 Comments

Signature update finished. No updates needed. Co-managed device
I have an issue where the Security Intelligence update is being delayed by a number of days and I can't figure out why. Currently testing migrating from another AV product to Defender for Endpoint (3rd party AV has been uninstalled). The current set up is:
Device Hybrid Joined
Co-management with SCCM / Intune
SCCM handling Windows Update
Intune managing Defender (AV, Firewall, ASR, Web Content Filtering)
All this works apart from Security Intelligence updates every hour as configured in Intune! Signature updates appear to wait until they are over 72 hrs before updating, and I can't force the update as I get the following:
C:\Program Files\Windows Defender>MpCmdRun.exe -SignatureUpdate
Signature update started . . .
Signature update finished. No updates needed
Amended the SCCM default Antimalware policy sources to WinUpdate and MMPC and to update every 1 hr in case these somehow are impacting. Can anyone help with what could be causing this delay please?
MDEClientAnalyzer Results
SecurityIntelligenceVersion: Please note that this machine is running with outdated security intelligence version. It is recommended to apply the most recent security intelligence version to ensure optimal protection and compatibility.
Defender AV Service Status: Running
Windows Security Center Service Status: Running
Windows Security Health Service Status: Running
Defender AV mode: Active
Defender Network Protection Service: Running
Defender Network Protection Driver: Running
Defender AV Platform Version: 4.18.23110.3-0
Defender AV Security Intelligence Version: 1.403.2882.0
Defender AV engine Version: 1.1.23110.2
Defender Is Tamper Protected: True
Defender Tamper Protection Source: Intune
Defender Is Tamper Protection Exclusions Enabled: False
Defender Network Protection Mode: Block Mode
Enrollment Status: Device is managed by MDM Agent (3)
Domain Joined: YES
Azure AD Joined: YES
Workplace Joined: NO
MDM Enrollment state: MDM enrolled
System-wide WinHTTP proxy: Direct access (no proxy server).
Device has internet access and we'd like the device to update direct from the cloud; no firewall blocks, the device has access and does update sometime after 72 hrs.
get-mppreference
SignatureFallbackOrder : MicrosoftUpdateServer|MMPC
SignatureFirstAuGracePeriod : 120
SignatureScheduleDay : 8
SignatureScheduleTime : 01:45:00
SignatureUpdateCatchupInterval : 1
SignatureUpdateInterval : 1
SubmitSamplesConsent : 1
Get-MpComputerStatus
NISSignatureAge : 4
Intune setting from AV Policy:
2K Views | 0 likes | 10 Comments

Intune Licensing - Device Enrolment
I am looking for some information on Intune and device enrolment licensing. Currently, we have Microsoft Entra ID P1. Our setup is in a hybrid environment. My account (Device Enrolment Manager) has a Microsoft E3 license, which includes Intune. I have configured enrollment profiles, app deployment, the Intune connector for AD, etc. I can enroll devices in Intune using Automatic Enrolment or Autopilot using a single DEM account; then, this device will be given to a different user. For now, I just want to confirm: if I was able to enrol a few devices using my account, and I believe there is a limit of 1000 per DEM, does that mean that if we do not require an Intune device-only license and we don't need additional Intune capabilities I am OK to keep enrolling devices using a single Device Enrolment Manager account? I just want to make sure we are not breaking any MS license agreements. Or do you require an Intune license as soon as the device is enrolled in Intune, regardless of whether you require additional Intune features? Thanks!
91 Views | 0 likes | 5 Comments